Without seeing and knowing your data, it might be hard for us to give you good advice. We'll say "try this" and you'll probably say "that won't work because...". But nonetheless, here are some thoughts:
It looks like you do most of your processing after you filter down to just the AAA9999 events. But can we flip that approach? Can you perform that logic at the event level. And then use just stats to do the filtering. For example, what about determining if an event is an AAA9999. Then set the Description fields accordingly - nothing if not that event or what they should be otherwise.
And when you do your stats, then the description list should already be what you need it to be. And you can also count the number of AAA9999 events specifically. From there, you can just filter on AppNames you're interested in and shouldn't have to do much more processing.
Something like this maybe:
index="ibb" (host="xx" OR host="yy")
| eval is_AAA9999 = if(match(AppName_Value,"AAA9999"),1,0)
| eval Month_Value = strftime(_time, "%m-%Y")
| rex max_match=100 "Rejected From: (?<reject_from>.*?)&lt;br"
| rex mode=sed field=reject_from "s/&lt;/ /g"
| rex mode=sed field=reject_from "s/&gt;/ /g"
| eval Description = if(is_AAA9999=1,reject_from,"")
| eval Line_10_Description = if(Description like "%/010%",Description,"")
| eval Line_19_Description = if(Description like "%/019%",Description,"")
| stats values(Description) as Description, values(Line_10_Description) as Line_10_Description, values(Line_19_Description) as Line_19_Description, values(State_Value) as State_Value, values(AppName_Value) as AppName_Value_list, count(eval(is_AAA999=1)) as total_events by EVE_INCIDENT_LOCATOR_NM
| search AppName_Value_list="*AAA9999*" AND AppName_Value_list="*WSQ0001*"
Again, this may not work exactly with your data, but hopefully it will give you some ideas. Sometimes thinking in order of how we would do things isn't always the best order for how Splunk should do them.
Also, if you have to do this on a regular basis, maybe run a search on a regular basis to create a lookup of the EVE_INCIDENT_LOCATOR_NM values that meet the criteria - especially if this search is going to run over a previous timeframe, like last month.
And of course, you could try doing something similar with a subsearch, but not sure how efficient that would be either.
... View more